Welcome to Splunk Answers, a Q&A forum for users to find answers to questions about deploying, managing, and using Splunk products. Contributors of all backgrounds and levels of expertise come here to find solutions to their issues, and to help other users in the Splunk community with their own questions.

This quick tutorial will help you get started with key features to help you find the answers you need. You will receive 10 karma points upon successful completion!

Have you tried it on any of your machines? Seems like something like this would be worth the effort of setting up a standalone test. That's my 2 cents. BTW, I'm assuming that you are not going to be indexing any of the files, you are just looking for changes, right? (in other words fullEvent=false), you question doesn't indicate either way.

As for testing, nope. The client wants it, but I don't know if we have access to any "typical" servers that are not production. I doubt my laptop would be a similar enough environment to their servers.

1 Answer

If you just want changes, it may be much better to enable Windows FS auditing and use Splunk to monitor the Windows Security Event Log for changes instead. The overhead is much lower, and you will catch changes that Splunk will not catch, as the audit is generated by the filesystem itself rather than by polling.

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here. Closing this box indicates that you accept our Cookie Policy.